As is the case with the Gramm-Leach-Bliley Act as a whole, the privacy title adopts the "functional regulator" approach to enforcement. A financial institution's primary federal regulator also enforces the privacy title.
Notably, the statute gives the Federal Reserve Board privacy enforcement authority over bank holding companies and their nonbank subsidiaries. Exceptions are brokers, dealers, investment companies, and advisers, which the Securities and Exchange Commission oversees, and insurance companies, over which the appropriate state regulators have enforcement authority.
The Federal Reserve Board is clearly given responsibility for many nonbank subsidiaries of bank holding companies over which the Federal Trade Commission had long sought authority. Nevertheless, the FTC is given responsibility for entities that are not otherwise covered by the title's enforcement scheme, such as a merchant or manufacturer that extends credit and is not part of a bank holding company structure.
The statute's enforcement provisions make clear that the privacy title is to be enforced by the designated regulators. No private rights of action are provided under the statute against financial institutions or their corporate families for violations of the title. Though the law states that each institution has an affirmative and continuing obligation to respect the privacy of its customers and protect the security of customer information, that statement alone does not create privately enforceable obligations.
Recognizing this, the title directs the federal banking agencies to carry out congressional policy by establishing standards for procedural and physical safeguards to protect customer information. These standards are to be implemented in the same manner, to the extent practicable, as the safety and soundness standards prescribed by the federal banking agencies for depository institutions under section 39(a) of the Federal Deposit Insurance Act.
In addition, the privacy title contemplates two separate rulemaking efforts by federal banking agencies: one relating to the federal Fair Credit Reporting Act and a second to implement the privacy title itself.
As amended, the fair-credit law directs federal banking agencies to jointly issue "such regulations as necessary to carry out the purposes" of this legislation. The resulting joint regulations would apply to all banks and thrifts regulated by the federal agencies. The National Credit Union Administration also is instructed to issue fair-credit regulations for federally insured credit unions.
The banking agency regulations apply to all nonbank entities within bank holding company families. The statute directs the Federal Reserve Board to promulgate fair-credit regulations "consistent with" the joint banking agency regulations that would apply to holding companies and their nonbank affiliates - including insurance companies, brokers, dealers, investment companies, and advisers.
This is a significant change. Since 1970, no agency has been given rulemaking authority under the fair-credit act, though in 1996 the Fed was authorized to issue interpretations of federally regulated financial institutions and subsidiaries of bank holding companies. Also, while the FTC historically has taken the lead in providing informal guidance under the fair-credit act, the commission has no authority to issue regulations pertaining to it.
These rulemaking provisions likely spell the demise of a long-anticipated joint Federal Reserve-FTC commentary on the Fair Credit Reporting Act. The guidelines were in the works nearly two years and were expected to have a formal notice and comment period. Given the new rulemaking mandate of the federal banking agencies, the Fed is expected to scuttle this effort and refocus attention on promulgating regulations involving the credit act.
The second set of rules authorized by the privacy title are those that enforce the title itself. Each of the title's federal enforcement authorities is directed to prescribe, in consultation with state insurance representatives and one another, "such regulations as may be necessary to carry out the purposes" of the title for entities subject to that authority's jurisdiction. Federal banking agencies will promulgate regulations for banks and thrifts, while the National Credit Union Administration will do so for federal credit unions.
The Securities and Exchange Commission again is likewise authorized to issue regulations for brokers, dealers, investment companies, and advisers. And FTC-developed rules will apply to any entity for which that agency enforces the privacy title, such as nonbanks that are not a part of a bank holding company.
There is one wrinkle involving insurance companies. Given the longstanding primary responsibility of the states for insurance regulation, the statute and its legislative history encourage - but under the federal-state divide cannot require - state authorities to issue regulations for insurance companies subject to their jurisdiction.
This fragmented rulemaking scheme has generated concern that entities within the same bank holding company could be subject to many different rules issued by different regulators. Within a holding company, broker, dealer, investment company, and adviser subsidiaries will be subject to the SEC rules; insurance subsidiaries will have to comply with any applicable regulations issued by the various state insurance regulators - and even the bank, thrift and remaining nonbank subsidiaries will be subject to applicable regulations issued by the various federal bank agencies.
Because Congress recognized the potential difficulties, the statute directs regulators, in crafting regulations implementing the privacy title, to "consult and coordinate" with one another to ensure that all the privacy title rules are as "consistent and comparable" as possible. To promote consistency, the federal banking agencies may elect voluntarily to issue joint privacy regulations through the Federal Financial Institutions Examination Council.
Regardless, the statute provides a very short time window for rule-writing. The regulations are to be issued in final form by May 12, with the statute itself becoming effective six months later. Under the Administrative Procedure Act, regulations will need to be issued in proposed form early next year if the agencies are to have any chance of meeting this deadline. Consequently, it is possible that the initial rules will be relatively skeletal, providing guidance only on key elements of, and the most problematic issues raised by, the privacy title.
Federal regulators are given two important additional powers under the privacy title's rulemaking provisions. First, they are authorized to prescribe additional exceptions to the privacy policy and notice and opt-out requirements, as well as to the account-number prohibition and onward transfer restrictions. Given the relatively rapid pace with which the privacy provisions were drafted and enacted, such exceptions are likely to be required for operational and other reasons.
Second, federal regulators are authorized to set an effective date later than that specified in the law - Nov. 12, 2000. This will be particularly important if regulators fail to meet the statute's ambitious rulemaking deadline. It seems only equitable that the effective date of the title be delayed, since the statute as enacted envisions at least a six-month lag between the time that regulations are finalized and the date the title takes effect. Moreover, it is quite possible that regulators will determine that more time is required for compliance with the many new requirements. The authors are lawyers in the Washington office of Morrison & Foerster LLP. This is the third of four articles on the financial modernization law's privacy provisions.
